The how’s and why’s of email disclaimers.
In a recent post, I noted the following as one of the items to implement in securing mail relays.
Add a legal disclaimer to all e-mails. All e-mails, both incoming and outgoing should have a disclaimer. This is a simple thing to add to an e-mail that will save a lot of grief down the track. It may not stop something bad from happening but least it limits the liability of the organization to a small extent.
I was asked to debate this point and I shall endeavour to do so in this post.
There are a number of situations where a disclaimer aid in protecting an organisation. One of these is in allowing an organisation to hold some control over documents that have left the organisation and the protection of trade secrets. There is also a defence from the point of view of copyright infringement to some extent as well.
Copyright infringement issues
Mann and Belzley’s position holds the least cost intermediary liable is likely to be upheld under existing UK, US and Australian law. The positions held by the court in Telstra v Apra and Moorhouse v UNSW Define the necessary conditions to detail public dissemination and infringement through a sanctioned arrangement. The public dissemination of music clips sent to another user or group of users through email could be seen as being analogous to the copying of a manuscript with the organisation’s disclaimer being held as an inadequate control if this is all that has been done. It is clear that the provision of technical controls, monitoring and issuing of notices by the organisation would be also be needed for the disclaimer to be effective and for it to be seen that the organisation has made an attempt at controlling copyright infringement than enforcing infringements against individuals within the organisation.
Several cases have occurred in the US involving ISPs or other service providers that hosted copyright material made available to those accessing the site. The distribution by email can be seen as analogous to some of these. A significant decision was made in Religious Technology Center v Netcom On–line Communication Services, Inc. The case involved the posting of information online which was disseminated across the Internet. The postings were cached by the hosting provider for several days, and robotically stored by Netcom’s system for 11 days. The court held that Netcom was not a direct infringer in summary judgment. It was held that the mere fact that Netcom’s system automatically made transitory copies of the works did not constitute copying by Netcom. The court furthermore discarded arguments that Netcom was vicariously liable. The Electronic Commerce (EC Directive) Regulations 2002 warrants that the equivalent outcome would be expected in the UK.
The US Congress has acted in response with a number of statutes by and large that are intended to protect the intermediary from the threat of liability. The Digital Millennium Copyright Act (DMCA) envelops the possibility of liability from copyright liability. The DMCA is prepared such that it exempts intermediaries from liability for copyright infringement whilst they adhere to the measures delineated in the statute. These in the main compel them to eliminate infringing material on the receipt of an appropriate notification from the copyright holder. The email disclaimer can constitute an appropriate notification.
Here, the organisation can be seen as an intermediary as long as they are taking steps to control the dissemination of copyright materials inside and through the organisation.
A trademark infringement refers to the unauthorized use of a protected trademark or service mark, or use of something very similar to a protected mark. The success of any legal action to stop (or injunct) the infringement is directly related to whether the defendant's use of the mark causes a likelihood of confusion in the average consumer. If a court determines that a reasonable average consumer would be confused then the owner of the original mark can prevent the other party from making use of the infringing mark and even possibly collect damages. A party that holds the legal rights to a particular trademark can sue other parties for trademark infringement based on the standard “likelihood of confusion”.
There are a number of ways that trademark infringements could occur on the Internet. An ICP could add metatags to increase traffic (either with or without the client’s explicit permission) and equally, a client of an ISP could embed violating material into its WebPages. An ISP caching this information may inadvertently cache this material even after a take down order had been applied to the original offender.
Disclaimers can add to the level of notification and the protection of trademarked intellectual property. In themselves again, the disclaimer does little to stop infringement, but it adds to the evidence that will be available to be used in court for the defence of that mark.
The first claims in the UK of defamation using e-mail as a means of distribution occurred in the mid 1990’s. In one, the Plaintiff alleged that the Defendant published a message using a computer system asserting that the Plaintiff had been sacked for incompetence. The case did not include the service provider as a defendant. In another case and more widely publicised case, a police officer on complaining to his local branch of a national supermarket chain about an allegedly bad joint of meat was dismayed to discover that the store had distributed an e-mail communication to other branches of the chain. The subject of the e-mail stated; “Refund fraud -- urgent, urgent urgent”. He settled with the chain for a substantial sum as damages and an apology in open court from the supermarket management.
This issue has also occurred in the US. Litigation was started against CompuServe, an intermediary, as a result of assertions made in an electronic newsletter. CompuServe successfully argued that its responsibility was comparable to that of a library or a book seller. In Stratton-Oakmont, Inc. v Prodigy Service Co., the plaintiff asserted that a communication distributed by an unidentified third party on Prodigy’s “Money Talk” anonymous feedback site damaged the plaintiff’s IPO due to the libellous nature of the message. It was asserted that this resulted in a substantial loss.
Prodigy filed a motion for summary judgment. It asserted that the decision in CompuServe applied making them the simple distributor of the communication and hence not liable for the substance of the message. The court determined that Prodigy was a publisher as they implemented editorial control over the contents of the “Money Talk” site. As the editors used screening software to eliminate offensive and obscene postings and used a moderator to manage the site, they could be held accountable for the posting of a defamatory statement. Prodigy settled but subsequently unsuccessfully attempted to vacate the judgment. The Communications Decency Act (CDA) was subsequently enacted in the US to present a defence to intermediaries that that screen or block offensive matter instigated by another. The CDA presents, inter alia, that the intermediary may not be determined to be the publisher of any matter presented by another. Further, an intermediary shall be liable for any deed engaged in “good faith” to limit the spread of “obscene, lewd, lascivious, filthy, excessively violent, harassing or otherwise objectionable” materials.
Users view the Internet as if it was a telephone service with no enduring record. E-mails frequently contain imprudent declarations and japes. These communications offer an evidential confirmation absent in a telephone exchange. Deleted e-mail can persist in a variety of locations and forms, including back-up tape or disk, on the ISP and may have been forwarded to any number of other people. Any of these are subject to disclosure in litigation.
Western Provident v Norwich Union concerned a libel by e-mail. Communications exchanged within Norwich Union by its staff libellously concerned Western Provident’s financial strength. The case settled at a cost of £450,000 in damages and costs. For electronic distributions, the moderators of bulletin boards and Internet service providers are implicated only if they exercise editorial control or otherwise know directly of a libellous communication. In Godfrey v. Demon Internet, Godfrey informed the ISP of the existence of a libellous communication on a site managed by Demon. Demon did not act to remove the communication for the period of two weeks that such communications were made available on the site. The court asserted that as soon as Demon was alerted to the communication they ought to have acted. It was held that:
“The transmission of a defamatory posting from the storage of a news server constituted a publication of that posting to any subscriber who accessed the newsgroup containing that posting. Such a situation was analogous to that of a bookseller who sold a book defamatory of a plaintiff, to that of a circulating library which provided books to subscribers and to that of distributors. Thus in the instant case D Ltd was not merely the owner of an electronic device through which postings had been transmitted, but rather had published the posting whenever one of its subscribers accessed the newsgroup and saw that posting”.
Shevill v Presse Alliance established that in the European Union where an international libel is committed, an action for libel may be initiated against the publisher. This may be commenced either in the country that the publisher is based or in any other country where the publication was disseminated and where the Plaintiff had experienced damaged reputation. There is little reason to doubt that principles applicable to libel through the press will apply equally to computer libel.
Australian defamation laws are complicated by a state based nature in that they differ across each jurisdiction in content and available defences. Various Australian state laws include offence provisions for both civil defamation and criminal defamation. Civil liability transpires as a consequence of publications that are expected to harm a person's reputation and the penalties are monetary. Criminal liability transpires as a consequence of publications that concern society, including those with a propensity to imperil the public peace, and penalties in the majority of jurisdictions incorporate incarceration. Significant distinctions exist between civil and criminal defamation law in relation to both liability and defences.
The Western Australian Supreme Court decided in Rindos v. Hardwick that statements distributed in a discussion list can be defamatory and lead to an action. The court thought that it was inappropriate to apply the rules differently to the Internet from other means of communications. The court acknowledged the instigator’s accountability for defamatory proclamations broadcast across a discussion group. The matter of the liability of other participants on the list was not considered during the trial.
It is considered unlikely that an ISP would scrutinize all material presented across its network and this may not be economically feasible. Mann & Belzley address this through “targeting specific types of misconduct with tailored legal regimes”. These regimes would leave the ISP responsible for the defamatory publications of its users where they have failed to take reasonable action to mitigate these infringements. The existing law in Australia leaves all parties considered to be a “publisher” liable. Cases do exist where ISPs have removed content proactively.
The common law defence of innocent dissemination exists in Australia. Thompson v Australian Capital Television demonstrated this when Channel 7 asserted that transmission of a “live” show to the ACT retransmitted from Channel 9 NSW in effect placed it as a subordinate publisher that disseminated the material of the real publisher devoid of any material awareness or influence over the content of the show. They argued that this was analogous to a printer or newspaper vendor.
The High Court held that the defence of innocent dissemination is available to television broadcasts as well as printed works. In this instance it was held that the facts demonstrated Channel 7 maintained the capacity to direct and oversee the material it simulcasts. The show was broadcast as a live program through Channel 7's choice. They chose this format in full knowledge that a diffusion of the show would be next to instantaneous. The where further conscious of the nature of the show, a “live-to-air current affairs programme” and understood that this program conceded an elevated risk of transmitting defamatory material. It was decided by the facts that Channel 7 was not a subordinate publisher on this occasion.
The Federal Broadcasting Services Act 1992 affords a legislative defence to an ISP or Internet Content Host (ICH) that transmits or hosts Internet based content in Australia if they can demonstrate that they were reasonably unaware of the defamatory publication. s.91(1) of Schedule 5 to the Broadcasting Services Act grants that a law of a State or Territory, or a rule of common law or equity, has no effect to the extent to which the ISP “was not aware of the nature of the internet content”.
The BSA defines "internet content" to exclude "ordinary electronic mail". This is a communication conveyed using a broadcasting service where the communication is not "kept on a data storage device". Consequently, the s.91 defence will not be offered in cases concerning such material. In such cases, an ISP or ICH may be still attempt to rely on the defence of innocent dissemination. The applicability of the common law defence of innocent dissemination remains to be determined by the Australian courts. As a consequence, any reliance on these provisions by an ISP or ICHs carries a measure of risk.
Harassment may occur through all forms of media, the Internet is no exception. Junk mail, sexually offensive e-mails and threats delivered through online means (including both e-mail and instant messaging) are all forms of harassment. The inappropriate accessing of sexually explicit, racist or otherwise offensive material at the workplace is another form of harassment. This includes the sending of unwelcome messages that may contain offensive material to another co-worker.
E-mail Crimes and Violations
In reality, e-mail crime is not new. Instead, the Internet has enabled many old crimes to be reborn. Many morally violating acts such as child pornography have become far more widespread and simpler due to the ease and reach of e-mail. Many traditional crimes such as threats and harassment, blackmail, fraud and criminal defamation have not changed in essence, but the ease of e-mail has made them more prevalent.
Distributing a Virus or other Malware
The Internet allows an individual to either inadvertently or purposely disseminate malware (such as a virus) to other systems globally. The potential impact could encompass the “infection” or compromise of millions of hosts. This has occurred. A “harmless experiment” by Cornell University student Robert Morris involved the release onto the Internet of a type of malware called a “worm” that compromised over 6,000 computers and required millions of dollars worth of time to eradicate. As several “non-public computers” run by the US Government were damaged , Morris was prosecuted under the US Computer Fraud and Abuse Act (CFAA). He was convicted notwithstanding his declaration that he had no malicious objective to cause damage.
It is probable that a service provider or content hosting entity will face a degree of liability dependant on intention. If malware is intentionally posted such as in the Morris’ case, no uncertainty as to whether the conception and insertion of the malware was deliberate exists. Morris stated that he did not intend harm, but the fact remained that he intentionally created and released the worm. In the United States both Federal and State legislation has been introduced to deal with the intentional formation and release of malware.
In the UK, the introduction of malware is covered by section 3 of the Computer Misuse Act. The Act states that a crime is committed if a person “does any act which causes an unauthorised modification of the contents of any computer” and the perpetrator intends to “cause a modification of the contents of any computer” which may “impair the operation of any computer”, “prevent or hinder access to any program or data held in any computer” or “impair the operation of any such program or the reliability of any such data”. The deliberate introduction of any malware will meet any of these requirements by taking memory and processing from the system and feasibly damaging the system. It is also necessary for a successful prosecution to demonstrate a “requisite knowledge”. This “is knowledge that any modification he intends to cause is unauthorised”. With the volume of press coverage concerning the damage that can be caused by malware and the requirements for authorisation, it is highly unlikely that an accused party would be able to successfully argue ignorance as to authorisation.
Malware is generally distributed unintentionally subsequent to its initial creation. Thus an ICP or an ISP would not be found criminally liable under either the Computer Fraud and Abuse Act or the Computer Misuse Act for most cases of dissemination. For the majority of content providers on the Internet, there exists no contractual agreement with users browsing the majority of sites without any prospect of consideration. The consequence being that the only civil action that could succeed for the majority of Internet users would be a claim brought on negligence. Such a claim would have to overcome a number of difficulties even against the primary party who posted the malware let alone going after the ISP.
It would be necessary to demonstrate that the ISP is under a duty of care. The level of care that the provider would be expected to adhere to would be dependant on a number of factors and a matter for the courts to decide and could vary on the commerciality of the provider and the services provided. The standard of due care could lie between a superficial inspection through to a requirement that all software is validated using up-to-date anti-virus software on regular intervals with the court deciding dependant on the facts of the initial case that comes before the courts. The duty of care is likely to be most stringently held in cases where there is a requirement for the site to maintain a minimum standard of care, such as in the case of a payment provider that processes credit cards. Such a provider is contractually required to adhere to the PCI-DSS as maintained by the major credit card companies and would consequently have a greater hurdle in demonstrating that they where not negligent in not maintaining an active anti-virus programme.
Loss of an entirely economic nature cannot be recovered through an action for negligence under UK law. There is a requirement that some kind of “physical” damage has occurred. The CIH or Chernobyl virus was known to overwrite hard-drive sectors or BIOS. This could in some cases render the motherboard of the host corrupt and unusable. In this instance the resultant damage is clearly physical; however, as in the majority of Internet worms, most impact is economic in effect. Further, it remains undecided as to whether damage to software or records and even the subsequent recovery would be deemed as a purely economic loss by the courts.
It may be possible to initiate a claim using the Consumer Protection Act in the UK and the directives that are enforced within the EU. The advantage to this approach is that the act does not base liability on fault. It relies on causation instead of negligence in determining the principal measure of liability. The act rather imposes liability on the “producer” of a “product”. A “producer” under the act includes the classification of importer, but this definition would only be likely to extend to the person responsible for the contaminated software such as the producer or programmer. It also remains arguable as to whether software transmitted electronically forms a “product” as defined under the act.
Prevention is the key
The vast majority of illicit activity and fraud committed across the Internet could be averted or at least curtailed if destination ISP and payment intermediaries implemented effective processes for monitoring and controlling access to, and use of, their networks. Denning (1999) expresses that, "even if an offensive operation is not prevented, monitoring might detect it while it is in progress, allowing the possibility of aborting it before any serious damage is done and enabling a timely response”.
As is being noted above, there are a wide variety of commonly accepted practices, standards and means of ensuring that systems are secured. Many of the current economic arguments used by Internet intermediaries are short-sighted to say the best. The growing awareness of remedies that may be attained through litigation coupled with greater calls for corporate responsibility have placed an ever growing burden on organisations that fail to implement a culture of strong corporate governance. In the short term the economic effects of implementing sound monitoring and security controls may seem high, but when compared to the increasing volume of litigation that is starting to incorporate Internet intermediaries, the option of not securing a system and implement in monitoring begins to pale.
Basically, disclaimers only offer support to other controls. They do not add value in themselves, but do reinforce the value and effect of existing and implemented controls. Those actions noted in the disclaimer need to be followed up on and the execution of these needs to be monitored and recorded. Basically, if you state that you are implementing a control, you need to affirm the control and maintain evidence of this for the notification to be effective.
Disclaimers are not a control in themselves, but add weight and enhance other controls that have been deployed. There will always be times when Anti-Virus fails; staff send documents they have no rights to send and more. If the organisation maintains and is vigilant with other controls, a disclaimer adds weight to help defend an action in tort for negligence and also be used to deflect liability from the organisation as a whole and to return it to the infringer, where it should lie.
Disclaimers do have value but only in selected instances. Disclaimers can enhance the value of existing controls but likewise detract from cases where there are no controls.
 Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1
 Spar, D. (2001) at 11-12
 47 U.S.C. § 230(c)(1) (2004) (This sections details the requirements of the CDA that do not apply to ISPs).
 907 F. Supp. 1361 (N.D. Cal. 1995)
 See also, System Corp. v Peak Computer Co., F.2d 511 (9th Cir. 1993), in which it was held that the creation of ephemeral copies in RAM by a third party service provider which did not have a license to use the plaintiff’s software was copyright infringement.
 Statutory Instrument 2002 No. 2013
 The act states that an ISP must act “expeditiously to remove or to disable access to the information he has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network”. The lack of response from Netcom would abolish the protections granted under this act leaving an ISP liable to the same finding.
.With some minor exceptions, other countries have also seen broad liability exemptions for internet intermediaries as the appropriate response to judicial findings of liability. The United Kingdom Parliament took no action after the Queen’s Bench in Godfrey v. Demon Internet Ltd, QBD,  QB 201, held an Internet service provider liable as the publisher at common law of defamatory remarks posted by a user to a bulletin board. In the U.S., §230 of the CDA would prevent such a finding of liability. Similarly, courts in France have held ISPs liable for copyright infringement committed by their subscribers. See Cons. P. v. Monsieur G., TGI Paris, Gaz. Pal. 2000, no. 21, at 42–43 (holding an ISP liable for copyright infringement for hosting what was clearly an infringing website).
In 2000, however, the European Parliament passed Directive 2000/31/EC, available at http://europa.eu.int/eur-lex/pri/en/oj/dat/2000/l_178/l_17820000717en00010016.pdf, which in many ways mimics the DMCA in providing immunity to ISPs when they are acting merely as conduits for the transfer of copyrighted materials and when copyright infringement is due to transient storage. Id. Art. 12, 13. Further, the Directive forbids member states from imposing general duties to monitor on ISPs. Id. Art. 15. This Directive is thus in opposition to the British and French approaches and requires those countries to respond statutorily in much the same fashion as Congress responded to Stratton Oakmont and Religious Technology Centers. Of course courts are always free to interpret the Directive or national legislation under the Directive as not applying to the case at hand. See, e.g., Perathoner v. Pomier, TGI Paris, May 23, 2001 (interpreting away the directive and national legislation in an ISP liability case).
Canada has passed legislation giving ISPs immunity similar to the DMCA. See Copyright Act, R.S.C., ch. C-42, §2.4(1)(b) (stating “a person whose only act in respect of the communication of a work or other subject-matter to the public consists of providing the means of telecommunication necessary for another person to so communicate the work or other subject-matter does not communicate that work or other subject-matter to the public”). The Canadian Supreme Court interpreted this provision of the Copyright Act to exempt an ISP from liability when it acted merely as a “conduit.” Soc’y of Composers, Authors and Music Publishers of Can. v. Canadian Assoc. of Internet Providers,  S.C.C. 45, 240 D.L.R. (4th) 193, ¶92. The court in that case also interpreted the statute to require something akin to the takedown provision of the DMCA. See id. at ¶110.
.Pub. L. No. 105- 304, 112 Stat. 2860 (1998) (codified in scattered sections of 17 U.S.C.).
In the US, the Trademark Act of 1946, statutes § 1114 and § 1125 are specific to trademark infringement.
 As reported in the UK Telegraph by Kathy Marks on the 20th Apr 95. The policeman is quoted: "...If this had got out unchecked it could have done me serious professional harm. I am in a position of extreme trust and there has got to be no doubt...that I am 100 percent trustworthy".
 Cubby v CompuServe, 776 F.Supp.135 (S.D.N.Y. 1991). Another case, this time involving AOL was that of Kenneth Zeran v America On-line Incorporated heard by the United States Court of Appeals for the 4th Circuit (No. 97-1523 which was decided in November 1997). This was a case against AOL for unreasonably delaying in removing defamatory messages. The Court in 1st Instance and the Court of Appeal found for AOL.
 Compuserve offered an electronic news service named “Rumorville”. This was prepared and published by a third party and distributed over the CompuServe network.
 (NY Sup Ct May 24,1995)
 Communications Decency Act
 The was first made to include those postings even when that material is protected under the US Constitution. This has been subsequently amended.
 The EU Electronic Commerce Directive (No. 2000/31/EC) has now specifically limited the liability of an ISP to where it has been informed of a defamatory posting and has failed to remove it promptly as was the situation in Demon Internet. Lawrence Godfrey v Demon Internet Limited (unreported Queens Bench Division - 26th March, 1999)
 Western Provident v. Norwich Union (The Times Law Report, 1997).
 Godfrey v Demon Internet Ltd, QBD,  4 All ER 342,  3 WLR 1020;  QB 201; Byrne v Deane  2 All ER 204 was stated to apply.
 Godfrey v Demon Internet Limited  4 All.E.R.342
 Rindos v. Hardwicke No. 940164, March 25, 1994 (Supreme Ct. of West Australia) (Unreported); See also Gareth Sansom, Illegal and Offensive Content on the Information Highway (Ottawa: Industry Canada, 1995)
 Ibid, it was the decision of the court that no difference in the context of the Internet News groups and bulletin boards should be held to exist when compared to conventional media. Thus, any action against a publisher is valid in the context of the Internet to the same extent as it would be should the defamatory remark been published in say a newspaper.
 RECORDING INDUSTRY ASSOCIATION OF AMERICA, INC., (RIAA) v. Verizon Internet Services, 351 F.3d 1229 (DC Cir. 2003); See also Godfrey v Demon Internet
 ; Further, in the US, the Digital Millennium Copyright Act’s (DMCA’s) “good faith” requirement may not require “due diligence” or affirmative considerations of whether the activity is protected under the fair-use doctrine. In contrast, FRCP 11 requires “best of the signer’s knowledge, information and belief formed after reasonable inquiry, it is well grounded in fact and is warranted by existing law…”. Additionally, with the DMCA, penalties attach only if the copyright owner “knowingly, materially” misrepresents an infringement, so the copyright owner is motivated to not carefully investigate a claim before seeking to enforce a DMCA right.
 Brown & Lehman (1995) (The paper considers the arguments to creating an exception to the general rule of vicarious liability in copyright infringement for ISPs and those that reject this approach), available at http://www.uspto.gov/web/offices/com/doc/ipnii/ipnii.pdf.
 Thompson v Australian Capital Television, (1996) 71 ALJR 131
 See also “Google pulls anti-scientology links”, March 21, 2002, Matt Loney & Evan Hansen , www.News.com, Cnet, http://news.com.com/2100-1023-865936.html; “Google Yanks Anti-Church Site”, March 21, 2002, Declan McCullagh, Wired News, http://wired.com/news/politics/0,1283,51233,00.html; “Church v. Google How the Church of Scientology is forcing Google to censor its critics”, John Hiler, Microcontent News, March 21, 2002, http://www.microcontentnews.com/articles/googlechurch.htm; Lawyers Keep Barney Pure, July 4, 2001, Declan McCullagh, Wired News, http://www.wired.com/news/digiwood/0,1412,44998,00.html.
 See Reidenberg, J (2004) “States and Internet Enforcement”, 1 UNIV. OTTAWA L. & TECH. J. 1
 s.91(1) of Schedule 5 to the Broadcasting Services Act states:
(i) subjects, or would have the effect (whether direct or indirect) of subjecting, an internet content host/internet service provider to liability (whether criminal or civil) in respect of hosting/carrying particular internet content in a case where the host/provider was not aware of the nature of the internet content; or
(ii) requires, or would have the effect (whether direct or indirect) of requiring, an internet content host/internet service provider to monitor, make inquiries about, or keep records of, internet content hosted/carried by the host/provider.
 The Broadcasting Services Act specifically excludes e-mail, certain video and radio streaming, voice telephony and discourages ISP's and ICH's from monitoring content by the nature of the defense. See also, Eisenberg J, 'Safely out of site: the impact of the new online content legislation on defamation law' (2000) 23 UNSW Law Journal; Collins M, 'Liability of internet intermediaries in Australian defamation law' (2000) Media & Arts Law Review 209.
 See also EFA, Defamation Laws & the Internet
 Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030; There is an obligation for prosecution under the CFAA that a non-public computer is damaged where the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information.
 Computer Misuse Act 1990 (c. 18), 1990 CHAPTER 18
 The PCI-DSS at section 5 requires that “Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.”
 Scandariato, R.; Knight, J.C. (2004) “The design and evaluation of a defense system for Internet worms” Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems, 2004. Volume, Issue, 18-20 Oct. 2004 Page(s): 164 - 173
 The Consumer Protection Act 1987 (Product Liability) (Modification) Order 2000 (Statutory Instrument 2000 No. 2771)
 See also, Electronic Commerce (EC Directive) Regulations 2002, SI 2000/2013 and the provisions of the Product Liability Directive (85/374/EEC)
 Dorothy E. Denning, Information Warfare and Security, ACM Press, New York, 1999
 See for instance Hazen (1977); Gagnon, Macklin & Simons (2003) and Slawotsky (2005)